A flaw was found in the file:// protocol handler for Windows operating system. An insufficient permission check could cause a remote attacker to gain access to sensitive information.
This issue did not affect OpenJDK builds for Linux.
Public now via Oracle CPU July 2019:
Fixed in Oracle Java SE 12.0.2, 11.0.4, 8u221, and 7u231.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
OpenJDK-11 upstream commit:
OpenJDK-8 upstream commit:
OpenJDK-7 upstream commit: